Bug #79208 Seg fault in _emalloc_320
Submitted: 2020-02-01 17:59 UTC
Modified: 2020-02-04 13:29 UTC
From: changochen1 at gmail dot com
Assigned:
Status: Duplicate
Package: Scripting Engine problem
PHP Version: master-Git-2020-02-01 (Git)
OS: ALL
Private report: No
CVE-ID: None
 [2020-02-01 17:59 UTC] changochen1 at gmail dot com
Description:
------------
We found a seg fault in cli/php (PHP 8.0.0-dev (cli) (built: Jan 31 2020 21:52:09) ( NTS ))

Run the test script with "php -f poc.php"

The backtrace from asan is:
===
==429843==ERROR: AddressSanitizer: SEGV on unknown address 0x0000b8443768 (pc 0x000000d86238 bp 0x7fffeec35800 sp 0x7fffeec357d0 T0)
    #0 0xd86237 in _emalloc_320 (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xd86237)
    #1 0xe7e44f in zend_hash_real_init_mixed (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe7e44f)
    #2 0xe85436 in zend_hash_add_new (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe85436)
    #3 0xed43af in zend_fetch_debug_backtrace (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xed43af)
    #4 0xee659f in zend_default_exception_new_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xee659f)
    #5 0xee6f75 in zend_default_exception_new (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xee6f75)
    #6 0xe523f0 in object_init_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe523f0)
    #7 0xef51e6 in zend_throw_exception (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xef51e6)
    #8 0xe42e10 in zend_throw_error (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe42e10)
    #9 0x1015e5f in ZEND_INIT_DYNAMIC_CALL_SPEC_TMPVAR_HANDLER (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1015e5f)
    #10 0x12459c8 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x12459c8)
    #11 0xdf5a2f in zend_call_function (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf5a2f)
    #12 0xdf3145 in _call_user_function_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xdf3145)
    #13 0xe418a0 in zend_error_va_list (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe418a0)
    #14 0xe427b5 in zend_error (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe427b5)
    #15 0xfb6611 in zend_undefined_index (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xfb6611)
    #16 0xfbfe42 in zend_fetch_dimension_address_read_R (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xfbfe42)
    #17 0x1034d92 in ZEND_FETCH_DIM_R_SPEC_CONST_TMPVAR_HANDLER (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1034d92)
    #18 0x124c9c2 in execute_ex (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x124c9c2)
    #19 0x127aab7 in zend_execute (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x127aab7)
    #20 0xe43dfb in zend_execute_scripts (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xe43dfb)
    #21 0xcab3b7 in php_execute_script (/home/rxz226/php-src/bld_asan/sapi/cli/php+0xcab3b7)
    #22 0x1280971 in do_cli (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1280971)
    #23 0x1282acb in main (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x1282acb)
    #24 0x7f9ec764482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #25 0x428a78 in _start (/home/rxz226/php-src/bld_asan/sapi/cli/php+0x428a78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 _emalloc_320
==429843==ABORTING

Test script:
---------------
<? array () [ set_error_handler ( function () {                        (   set_error_handler ( function () {                    $a  [ $GLOBALS [ $a  ] =   $a       ]  = 2 ;                    }                      )  == list ( $a [ ++ $b [ 1 ] ]   ) =   $GLOBALS [     var_dump ( $GLOBALS )     ] = & $b     )   ()   ;                       }
                         ) ]  ;


 [2020-02-01 19:41 UTC] stas@php.net
-Type: Security
+Type: Bug
-Package: CGI/CLI related
+Package: Scripting Engine problem
 [2020-02-03 15:35 UTC] nikic@php.net
This is likely the same issue as bug #78598.
 [2020-02-04 13:29 UTC] nikic@php.net
-Status: Open
+Status: Duplicate
 [2020-02-04 13:29 UTC] nikic@php.net
I confirmed that fixing bug #78598 fixes this one as well, so marking as duplicate.
 